Re: [Acme] Handling non-conformant CAA property names in ACME-CAA
Corey Bonnell <CBonnell@trustwave.com> Tue, 10 July 2018 12:09 UTC
Return-Path: <CBonnell@trustwave.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DFEF6131131 for <acme@ietfa.amsl.com>; Tue, 10 Jul 2018 05:09:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=trustwave.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AP2d8oDZ5rbQ for <acme@ietfa.amsl.com>; Tue, 10 Jul 2018 05:09:27 -0700 (PDT)
Received: from seg-node-chi-03.trustwave.com (seg-node-chi-03.trustwave.com [204.13.200.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A3FF1130E75 for <acme@ietf.org>; Tue, 10 Jul 2018 05:09:27 -0700 (PDT)
Received: from NAM05-DM3-obe.outbound.protection.outlook.com (Not Verified[216.32.181.113]) by seg-node-chi-03.trustwave.com with Trustwave SEG (v8, 0, 6, 10791) (using TLS: TLSv1.2, AES256-SHA256) id <B5b44a1f40003>; Tue, 10 Jul 2018 07:09:24 -0500
Received: from SN6PR07MB4575.namprd07.prod.outlook.com (52.135.95.19) by SN6PR07MB5039.namprd07.prod.outlook.com (52.135.121.81) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.930.20; Tue, 10 Jul 2018 12:09:22 +0000
Received: from SN6PR07MB4575.namprd07.prod.outlook.com ([fe80::d0e2:e12:541d:c131]) by SN6PR07MB4575.namprd07.prod.outlook.com ([fe80::d0e2:e12:541d:c131%2]) with mapi id 15.20.0930.022; Tue, 10 Jul 2018 12:09:22 +0000
From: Corey Bonnell <CBonnell@trustwave.com>
To: Jacob Hoffman-Andrews <jsha@eff.org>, Roland Shoemaker <roland@letsencrypt.org>, "acme@ietf.org" <acme@ietf.org>
CC: Hugo Landau <hlandau@devever.net>
Thread-Topic: [Acme] Handling non-conformant CAA property names in ACME-CAA
Thread-Index: AQHUCNfwmw4vM10pkkesYQHeJVFYOaSHwCKAgAB4y4A=
Date: Tue, 10 Jul 2018 12:09:22 +0000
Message-ID: <AD5192BA-2792-4C4F-98DF-C2789C423A9C@trustwave.com>
References: <DC2B6BEA-713F-468E-A374-97C3A01CFEAF@letsencrypt.org> <63753ab2-2b4b-ec15-f357-373b7e681aab@eff.org>
In-Reply-To: <63753ab2-2b4b-ec15-f357-373b7e681aab@eff.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=CBonnell@trustwave.com;
x-originating-ip: [204.13.202.248]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; SN6PR07MB5039; 7:+EK5RzSstZ7OswzNfQuH7RRZWJTe7rUoqOT5UENLFMzQ1GwsRBnNmwH8v8vbdCCQTL6bSUo7b3bDfFXJcJZVAJjr0VL1adznIh49IhiSHL4/ftd6cnaZIiQcvg3gvD9VtMkkn9eJXJsapP1XoFZum92viMrqTrpIAcQ4j+HmpSZ7nYo8DAYUWDKdTyokDAU3+Oodd/gawn/zrLxwwu8qN2z+4HRsoHfYIe+ilV/ToEnEAsnDmTKm9S+b35yiXUt5
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 47169f5e-9158-4ae2-4917-08d5e65df8c4
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989117)(5600053)(711020)(4534165)(4627221)(201703031133081)(201702281549075)(8990107)(2017052603328)(7153060)(7193020); SRVR:SN6PR07MB5039;
x-ms-traffictypediagnostic: SN6PR07MB5039:
x-microsoft-antispam-prvs: <SN6PR07MB5039380BBD0D62EC2E450E0FCF5B0@SN6PR07MB5039.namprd07.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(232896897485771)(192374486261705)(171964332516350);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040522)(2401047)(5005006)(8121501046)(93006095)(93001095)(10201501046)(3231311)(944501410)(52105095)(3002001)(149027)(150027)(6041310)(20161123558120)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123564045)(20161123562045)(20161123560045)(6072148)(201708071742011)(7699016); SRVR:SN6PR07MB5039; BCL:0; PCL:0; RULEID:; SRVR:SN6PR07MB5039;
x-forefront-prvs: 0729050452
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(346002)(396003)(376002)(39860400002)(366004)(136003)(52054003)(189003)(199004)(68736007)(476003)(4326008)(83716003)(110136005)(53936002)(316002)(105586002)(106356001)(6246003)(2906002)(86362001)(478600001)(486006)(5660300001)(2501003)(5250100002)(6512007)(26005)(6306002)(25786009)(82746002)(2616005)(14444005)(446003)(15974865002)(66066001)(102836004)(99286004)(36756003)(6116002)(72206003)(966005)(80792005)(8936002)(186003)(6486002)(33656002)(229853002)(6506007)(81156014)(7736002)(14454004)(305945005)(256004)(8676002)(81166006)(6436002)(97736004)(3846002)(76176011)(11346002)(2900100001)(19400905002); DIR:OUT; SFP:1102; SCL:1; SRVR:SN6PR07MB5039; H:SN6PR07MB4575.namprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: trustwave.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: 6xkPIaqqpYvxCRJA3YdZcZ8eG12KgKSRCP8XbDi4CiKjoKW1P1RxmnYogq0tDT6qI5vysTvvr2IIKR4QK5qk0GI7VW3DFyQnc5qSXaZYMifndD5+2NeIbBXPFF9VmCjatGvTjljL2iBdKXTQCbyflvGMUmxWaIwjskoL8//r+eqzDJyYEGxKbxa2lwSz8HNpmK36l7NLpSpk9aDGH0zmFTHvMQl/D+/9Gt/HCqKmOE4sWxcEloYhRZMx1sRp+VZvFzHsa5QMFT4D8dRD/7ffYaO8qquYRs6KuV2eeUQjhfMOiWOIZ95mgXXNYeEgDiW+REijc0QcmPBugvpvDvFAl8dQvitYg4rkXf/BGV4SC2Y=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <F27E1C65C7036E45B991534782BB8FD6@namprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: trustwave.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 47169f5e-9158-4ae2-4917-08d5e65df8c4
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Jul 2018 12:09:22.1503 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: cb1dab68-a067-4b6b-ae7e-c012e8c33f6a
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN6PR07MB5039
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=trustwave.com; s=080318_segcloud; t=1531224565; bh=Vx51PmCZmoCCiJWUR24BX9sEO3pijs3SSfxsCh19k/s=; h=From:To:CC:Subject:Thread-Topic:Thread-Index:Date:Message-ID: References:In-Reply-To:Accept-Language:Content-Language: X-MS-Has-Attach:X-MS-TNEF-Correlator:authentication-results: x-originating-ip:x-ms-publictraffictype: x-microsoft-exchange-diagnostics: x-ms-exchange-antispam-srfa-diagnostics: x-ms-office365-filtering-correlation-id:x-microsoft-antispam: x-ms-traffictypediagnostic:x-microsoft-antispam-prvs: x-exchange-antispam-report-test:x-ms-exchange-senderadcheck: x-exchange-antispam-report-cfa-test:x-forefront-prvs: x-forefront-antispam-report:received-spf: x-microsoft-antispam-message-info:spamdiagnosticoutput: spamdiagnosticmetadata:Content-Type:Content-ID: Content-Transfer-Encoding:MIME-Version:X-OriginatorOrg: X-MS-Exchange-CrossTenant-Network-Message-Id: X-MS-Exchange-CrossTenant-originalarrivaltime: X-MS-Exchange-CrossTenant-fromentityheader: X-MS-Exchange-CrossTenant-id: X-MS-Exchange-Transport-CrossTenantHeadersStamped; b=YtNLpsCy7oxCj0Ijjv3Qu0C1HYKFYCPM3hywGHXrCag9KgpGzug9oBjqe4NVli8he lCvh4C9/l9rmOG6U0XlujQDxuJ3rZ/0UjekuU5uIbD3VJI0Vrfbwz+IlvXLpYX/U1J zyn5+AFs9u9C3fYGuEOaKy+3eDZClPbAwYY6JIpfWqOIV92HAEr72eXXikHC8LfJen LmxsAR9lpNtBBAx09eVhykdP0BsdKxmM/fazQRgBPyYqa0wef5S5aEmcJWBfJ/uD00 thIkMyMFFPbjKL6vggNdgIdacfRImj/cMYbSj5MkkIhNrh9vaWZFDAbR+ktorDUHz7 jIt0X0sGqSp8g==
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/zV6EA0mwbP0kumRXIEj1KSu7QCg>
Subject: Re: [Acme] Handling non-conformant CAA property names in ACME-CAA
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jul 2018 12:09:31 -0000
Hi Jacob, Perhaps not as elegant and concise, but a workaround would be to temporarily (until 6844-bis gets incorporated into the Baseline Requirements) prohibit multiple parameters in the same CAA record and instead require that multiple parameters span multiple issue/issuewild records with the same Issuer Domain Name. For example, the following CAA issue record: CAA 0 issue "acmeca.com; validationmethods=http-01; accounturi=https://api.acmeca.com/acct/1" could be expressed with two records: CAA 0 issue "acmeca.com; validationmethods=http-01" CAA 0 issue "acmeca.com; accounturi=https://api.acmeca.com/acct/1" This isn't very DRY, but this would avoid interoperability conflicts with tooling and other CAs that refuse to issue certificates when encountering CAA records with invalid syntax. Thanks, Corey Bonnell Senior Software Engineer Trustwave | SMART SECURITY ON DEMAND www.trustwave.com <http://www.trustwave.com/> On 7/9/18, 8:57 PM, "Acme on behalf of Jacob Hoffman-Andrews" <acme-bounces@ietf.org on behalf of jsha@eff.org> wrote: There's a similar issue for parameters: RFC 6844 section 3 says each name-value pair is separated by a semicolon: https://scanmail.trustwave.com/?c=4062&d=9ITE2_Zkd4Asykvo5V46RlY2wgex49JVgDUDQNU2fg&s=5&u=https%3a%2f%2ftools%2eietf%2eorg%2fhtml%2frfc6844%23section-3 > issue <Issuer Domain Name> [; <name>=<value> ]* : The issue property RFC 6844 section 5.2 says each name-value pair is separated by a space: https://scanmail.trustwave.com/?c=4062&d=9ITE2_Zkd4Asykvo5V46RlY2wgex49JVgDVWTd4-IA&s=5&u=https%3a%2f%2ftools%2eietf%2eorg%2fhtml%2frfc6844%23section-5%2e2 > issuevalue = space [domain] space [";" *(space parameter) space] For 6844-bis, in the LAMPS WG, we concluded that the latter was most likely an error in the ABNF, and that semicolons were preferable: https://scanmail.trustwave.com/?c=4062&d=9ITE2_Zkd4Asykvo5V46RlY2wgex49JVgGJWEd4-KQ&s=5&u=https%3a%2f%2ftools%2eietf%2eorg%2fhtml%2fdraft-ietf-lamps-rfc6844bis-00%23section-5%2e2 > parameters = (parameter *WSP ";" *WSP parameters) / parameter ACME-CAA's examples use semicolons: https://scanmail.trustwave.com/?c=4062&d=9ITE2_Zkd4Asykvo5V46RlY2wgex49JVgGJSE40wKQ&s=5&u=https%3a%2f%2ftools%2eietf%2eorg%2fhtml%2fdraft-ietf-acme-caa-03%23appendix-A > http://scanmail.trustwave.com/?c=4062&d=9ITE2_Zkd4Asykvo5V46RlY2wgex49JVgDAHRt8wew&s=5&u=http%3a%2f%2fexample%2ecom IN CAA 0 issue "http://scanmail.trustwave.com/?c=4062&d=9ITE2_Zkd4Asykvo5V46RlY2wgex49JVgGRQFokzLA&s=5&u=http%3a%2f%2fexample%2enet%3b \ > account-uri=https://example.net/account/1234; \ > validation-methods=dns-01" We resolved the hyphen question on the basis of interoperability: Some DNS UIs rejected setting CAA records with hyphens in property names, so we did the simple thing and removed them. The semicolon question is not so easily solved. There is no unambiguous reading of RFC 6844, no reason to consider section 3 more normative than section 5.2 or vice versa. I have one piece of interop data: While Route53 rejected hyphens in property names, it accepts semicolons separating name-value pairs. My preference is for ACME-CAA to continue follow the RFC 6844bis interpretation. What are others' thoughts? _______________________________________________ Acme mailing list Acme@ietf.org https://scanmail.trustwave.com/?c=4062&d=9ITE2_Zkd4Asykvo5V46RlY2wgex49JVgGMHRNQ_Kw&s=5&u=https%3a%2f%2fwww%2eietf%2eorg%2fmailman%2flistinfo%2facme
- Re: [Acme] Handling non-conformant CAA property n… Hugo Landau
- Re: [Acme] Handling non-conformant CAA property n… Tim Hollebeek
- Re: [Acme] Handling non-conformant CAA property n… Corey Bonnell
- Re: [Acme] Handling non-conformant CAA property n… Tim Hollebeek
- Re: [Acme] Handling non-conformant CAA property n… Jacob Hoffman-Andrews
- Re: [Acme] Handling non-conformant CAA property n… Salz, Rich
- Re: [Acme] Handling non-conformant CAA property n… Ryan Sleevi
- Re: [Acme] Handling non-conformant CAA property n… Tim Hollebeek
- Re: [Acme] Handling non-conformant CAA property n… Ivan Ristic
- Re: [Acme] Handling non-conformant CAA property n… Ryan Sleevi
- [Acme] Handling non-conformant CAA property names… Roland Shoemaker
- Re: [Acme] Handling non-conformant CAA property n… Salz, Rich
- Re: [Acme] Handling non-conformant CAA property n… Hugo Landau